Note 1407285 - Security hole in BEx tools

Note 1407285 - Security hole in BEx tools

 

Summary

SymptomThere is a security hole in BW 3.5 Frontend for SAP GUI 7.10 and BI 7.0 Frontend for SAP GUI 7.10 that allows operating system functions to be called. This means that the affected client PC may be controlled (depending on the rights of the corresponding user account). This error also allows you to access the affected PC remotely.
Other termsSecurity, BEx tools, BEx Web Application Designer (WAD), Query Designer, BEx Analyzer, Report Designer
Reason and PrerequisitesBW 3.5 Frontend for SAP GUI 7.10 and/or BI 7.0 Frontend for SAP GUI 7.10 is installed on the client PC.
Solution

BW 3.5 Frontend for SAP GUI 7.10 (WDBCBEXC.dll): 

• The security breach is corrected with the following patch level:

• BW 3.5 Frontend for SAP GUI 7.10: Frontend Patch (FEP) 8

• With patch level 7 of GUI 7.10, the kill bit is set by default, which prevents an instantiation of the ActiveX control critical to security in the browser.

• You can find additional information about how you can set the kill bit for GUI ActiveX controls in Note 1092631. This note also provides scripts for automatically setting the kill bits in the registry of client.

BI 7.0 Frontend für SAP GUI 7.10 (BExCommon.dll): 

• The security breach is corrected with the following patch level:

• BI 7.0 Frontend for SAP GUI 7.10: Frontend Patch (FEP) 1100

• Since no COM/ActiveX technology is used in this version, an instantiation of the ActiveX controls critical to security in the browser is no longer possible by default. This correction ensures that the function critical to security within the DLL can no longer be activated and executed externally.

In the precalculation server (3.5 and 7.0 precalculation server), the security hole is closed by installing the above frontend patches.

Header Data

Release Status:	Released for Customer
Released on:	03.02.2010
Master Language:	German
Priority:	HotNews
Category:	Program error
Primary Component:	BW-BEX-ET Enduser Technology